Researchers Announce Microsoft Edge Extensions Host Permission Bypass Vulnerability

A few days ago, security researchers announced extensions host permission bypass vulnerabilities and details in Microsoft Edge browser. This problem has been fixed in Microsoft’s routine update in March 2019, but researchers have only published the details of the vulnerability until now based on security concerns. This vulnerability is primarily triggered by browser extensions. In principle, each extension has specific permissions and is subject to manual human review by Microsoft. However, the vulnerability allows an attacker to use a malicious extension to read and access all websites, such as when the mailbox is opened, the extension can read the contents of the message.

Under normal circumstances, the extension program can only apply for the permission of the corresponding function. If there is no permission, the extension program cannot call the corresponding function to read the data. The extension itself has a lot of permissions, such as reading the user’s bookmarks, history, forms and passwords, and locally stored information. Some extension programs require special permissions with large permissions because of the function. For example, the password manager can manage and read the account passwords of all websites. Of course, when the extension is uploaded to the Microsoft Store, it needs to be manually reviewed, so if the audit finds that the permissions do not correspond to the function, Microsoft will refuse to be on the shelves.

When examining the Microsoft Edge browser, the researchers found that JavaScript scripts can be created and executed using a small number of special API interfaces. These scripts bypass the Microsoft Edge browser’s permission review mechanism, which reads content from websites that have not been applied for or approved. Microsoft said that this is because Microsoft Edge browsers do not implement cross-domain policies correctly, so malicious extensions can be elevated to access them.

In actual attacks, hackers can use this vulnerability to read sensitive information from any website, but hackers must convince users to click on a hacker-specific website. When the permission is successfully obtained, the hacker can read the information of all the websites, for example, the hacker can directly read the complete content of the mail when the user views the mailbox.

Microsoft has fixed the vulnerability a few months ago so the researchers have published the full details of the vulnerability, and interested users can click here to view the details of the vulnerability.